πŸ› οΈ Memory Acquisition and Analysis Toolkit


Created: 12.10.2020

If this system is running, capture the memory. Should be the first task. Memory stomping issues. Benchmark testing to determine RAM footprint, speed, writes etc.

Benchmark the tools. DumpIt - lightweight, Magnet RAM, Belkasoft, FTK (slow, highest footprint), Redline, Fast Dump (fdpro.exe).

Media matters. SSD, USB vs Magnetic media evidence disk (HDD)? USB 3 is cool. Storage check at least 1/3 more then the collected. Magnetic cheap, 2-4 Gb.

VM vs physical. Different concerns.

Validate Tools

Document the changes that you are making. Know your tools πŸ› ! What changes they are making (see)?

🧰 Validate your tools. Tools used need to be periodically validated before each analysis. For example, check that your wiping software has thoroughly WIPED the drive you will be using for the evidence collection (for example, by running a checksum64 against it).

Choose the appropriate one. Below are some questions to ask to decide.

Example 1. Logging in remotely to collect artefacts and run preinstalled UI admin tools:

Question Answer
Easy to collect artefacts? Hard 🧱: Many non-DFIR tools
Easy to connect remotely? Easy πŸ’Έ: if the remote connection is allowed
Identify relevant data. Hard 🧱: not DFIR specific
Pivoting Hard 🍯-🧱: Depends
Scaling Hard 🧱: one at a time

Example 2. Logging in remotely to collect artefacts with cmd tools:

Question Answer
Easy to collect artefacts? Medium 🍯. Many tools, but they can be scripted. Generally free.
Easy to connect remotely? Hard 🧱: have to copy tools to the system.
Identify relevant data. Hard 🧱: not DFIR specific
Pivoting Hard 🧱: Many output files
Scaling Hard 🧱: one at a time

Example 3. Continuous monitoring:

Question Answer
Easy to collect artefacts? Easy πŸ’Έ: for artefacts being monitored. Hard 🧱: for others.
Easy to connect remotely? Easy πŸ’Έ: if configured.
Identify relevant data. Medium 🍯: depends on the tools.
Pivoting Medium 🍯: depends on the tools.
Scaling Easy πŸ’Έ: if monitoring is enabled

Example 4. Full image:

Question Answer
Easy to collect artefacts? Hard 🧱to get the full image, and also there is a need to parse it. But reliable.
Easy to connect remotely? Medium 🍯: depends
Identify relevant data. Medium 🍯: depends on the parser tool.
Pivoting Medium 🍯: depends on the parser tool.
Scaling Medium 🍯: depends on acquisition tools.
, they
Example 5. Cyber Triage:
Question Answer
Easy to collect artefacts? Easy πŸ’Έ: one exe for local or remote.
Easy to connect remotely? Easy πŸ’Έ: easy to send over network.
Identify relevant data. Medium 🍯: scores data.
Pivoting Easy πŸ’Έ: navigation via UI.
Scaling Multiple

Collection

Powershell is the best tool to automate and scale evidence collection across the enterprise.

Kansa

Not only for collection but also for analysis (stacking). It can be scaled. Suitable for acquisition across enterprises.

PowerShell (CSIRT-Collect.ps1)

Two directories: one with Winpmem and 7zip, another with Kape, copied from local install. Makes a RAM image, zips it and sends it to the network share. Cleans up the host under investigation after that. A handy thing: it’ll capture the OS build needed for vol2.py for profiling.

Then, it launches KAPE, which performs triage.

KAPE (Kroll Artifact Parser & Extractor)

It seems to be very close to what the Kansa framework does. What’s the difference? Kansa for live response and hunt; KAPE for forensics. Also, it seems that Kansa is dying. Better explained here by sprint_ska; thanks, man. Also, Kansa relies on Windows built-in tools, while Kape doesn’t. Kansa scales better.

kape --tsource C: --target RegistryHives --tdest "\results" 
kape --tsource H --target !ALL --tdest "dir" --debug  
kape --msource β€œdir” --module LECmd --mdest "dir" --trace --debug

Winpmem

7zip

Arsenal Image Mounter

Magnet Axiom

πŸ’΄ Don’t forget it’s a paid tool. Nevertheless, it’s straightforward to use. Works for macOS as well.

Cyber Triage

Live, remote or image. Steps:

  1. Collect artefacts
  2. Score
  3. Review
  4. Deep Dive (optional)
  5. Report

We need to analyse user activity, find malware indicators and check whether configs were changed.

Awesome Incident Response

https://github.com/meirwah/awesome-incident-response

Hashing

Native Hashing Tools

Windows. certutil -file [filename] -hash [md5, sha1, sha256 etc.].

macOS. md5, shasum.

Linux. md5sum, sha256sum etc.

Disk Imaging

ftkimager

🐾 Footprint

Write Blockers

NIST about software write blocker:Β https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical/software. Benchmark of different soft and hardware blockers:Β https://habr.com/ru/company/bizone/blog/320032/. https://youtu.be/r6-tsPUUhCU (video, Encase Image Extraction using Physical Write Blocker)

RAM Acquisition

There are both software and hardware-based tools.

osdf-troubleshooting-memory3ftkimager

osdf-troubleshooting-memory4

osdf-troubleshooting-memory5

osdf-troubleshooting-memory6

osdf-troubleshooting-memory7

osdf-troubleshooting-memory8

osdf-troubleshooting-memory9

osdf-troubleshooting-memory10

🐾 Footprint

The GUI version leaves a heavy footprint.

FTK Imager

⛔️ User mode

⚠️ Does not guarantee that the utility will not make write attempts to the target drive. Looks like it does write to the device -> use a write-protect device such as the Wiebetech Forensic Ultra Dock between the source and the target disks.

🐾 Footprint

Dumpit

⛔️ Kernel mode ⛔️ For Win7,8 and lower only. Tested on Win7. It causes a crash on Win10. It doesn’t work on Parallels VM (M1 MacBook)

🐾 Footprint

πŸ‘ Small footprint

Clutch

⛔️ For iOS only

🐾 Footprint

Frida

⛔️ Mobile jailbroken/rooted devices

Frida-ios-dump script is used to dump RAM for a process (only one process into which Frida was injected).

🐾 Footprint

Magnet RAM Capture

Kernel mode

🐾 Footprint

Belkasoft Live RAM Capture

⛔️ Kernel mode ⛔️ It uses a device driver to bypass user-space limitations; however, it has more impact on the operating system because of this. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.

🐾 Footprint

WinDD

⛔️ Windows only (what a surprise, right? πŸ˜‚)

It can be used over the network or USB.

🐾 Footprint

πŸ‘ Footprint is ~ 1MB (2013)

dd

DD utility allows a raw dump of memory. noerror* - important not to stop the acquisition on errors.

… user-space-sourced copy of memory, so some protected memory regions will not be included in the image. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

πŸ“˜ BTFM

# HDD/SSD
sudo dd if=/dev/sdb of=/case1/diskb.dd

#RAM
# Windows
dd if= \.\\PhysicalMemory of=F:\Evidence\memory.dd conv=noerror

# UNIX
dd if= /dev/mem of=memory.dd conv=noerror
# or 
dd if= /dev/kmem of=memory.dd conv=noerror

🐾 Footprint

Goldfish

⚠️ Works up to macOS 10.5 (32bit)

🐾 Footprint

OSXpmem

It’s part of rekall.

…from both user and kernel space via a bundled driver. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 164). BCS Learning & Development Limited. Kindle Edition.

✍🏻 SIP needs to be disabled (reboot > CMD+R > Terminal > csrutil disbale > reboot). Otherwise, might run into this issue: dump_memory(833): Failed to load kext (No such process)

✍🏻 USB > Get Info > unlock πŸ”’ > Ignore ownership on this volume (check). Otherwise, you might run into this issue: Can’t load kext ./pmem.kext, as it is not owned by root:wheel. Just chowning didn’t work for me. When I unchecked it, replugged the USB, and decompressed the archive, I managed to get the dump without this error. ❗️ Restart the Terminal for changes to take place!

🐾 Footprint

⚠️ See comments. Due to these prerequisites, the footprint might be significant.

Redline

✍🏻 Create a collector first (a folder with a batch or shell script). Put on the USB drive and run on a target machine from there. A great tool to visualise the main things of RAM and quickly identify suspicious activity. The only one that works on a Parallels VM (M1 MacBook Pro). However, I did not encounter errors and could not analyse anything properly.

🐾 Footprint

Fmem

A Linux kernel module, Fmem creates a new virtual device on a machine called β€˜/dev/fmem’. The investigator or first responder can then use dd against this virtual device without running into the same restrictions would be present trying to directly obtain physical memory through β€˜/dev/mem’. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

Linux Memory Grabber

This tool is a script that attempts to automate a number of the steps that must be taken to acquire memory from a Linux system. The tool is designed to be run from a USB stick, and automates the installation of kernel modules and creates a profile for the open-source Volatility Framework, a memory forensics suite. Once the USB drive is mounted a single command can be issued to do all the work, making it suitable for folks who might not be as proficient in Linux. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 165). BCS Learning & Development Limited. Kindle Edition.

Tribble

⛔️ Only works if it was in the PC before the incident. ⛔️ Hardware memory acquisition tool.

Includes a write blocker.

Memory Grabber Forensic Tool

PCMCIA card. When plugged into the suspect’s computer, the card provides an interface to a controlled system running forensics software that can be used to analyse the image.